7.3

Pypdf Library Can Fail to Process Large PDF Files

CVE-2026-27025 GHSA-wgvp-vg3v-2xq3
Summary

The pypdf library may take a long time or use a lot of memory when processing certain large PDF files. This could cause delays or crashes. Update to the latest version, pypdf 6.7.1, to prevent this issue.

What to do
  • Update pypdf to version 6.7.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
| | pypdf | <= 6.7.1 | 6.7.1 |
| pypdf_project | pypdf | <= 6.7.1 | |
Original title
pypdf has possible long runtimes/large memory usage for large /ToUnicode streams
Original description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
nvd CVSS3.1 5.5
nvd CVSS4.0 6.9
Vulnerability type
CWE-834
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026